(Editor’s Note: Ray Potter, the blog’s author, is the CEO and Co-founder of SafeLogic.)
Carbon Black has just announced the successful FIPS 140-2 validation of their Carbon Black Cryptographic Module and availability within their Cb Response and Cb Protection products. Our team at SafeLogic is extremely proud to power that effort and in the spirit of our partnership, I’m here to explain what FIPS 140-2 is and why it’s a big deal.
In 1995, NIST (the U.S. National Institute of Standards and Technology) and their Canadian counterpart CSE (Communications Security Establishment) teamed up to establish the mechanisms for testing and certifying that the FIPS 140 benchmark had been met. NIST and CSE employees staff the CMVP (Cryptographic Module Validation Program) and CAVP (Cryptographic Algorithm Validation Program), which cooperate with independent third party testing labs. While the labs conduct functional testing, it is the CMVP that ultimately reviews the results and issues the FIPS 140 validation. This formalized the process into the certification system we know today.
FIPS 140 was written as a requirements document for encryption with the goal to standardize a minimum strength level for the cryptography used in all Sensitive But Unclassified (SBU) federal operating environments. With so much riding on the enforcement of these minimums, the importance of the CMVP’s role cannot be understated.
While there are four available levels in the FIPS 140 program, many confuse the “dash two” designation as an indication of a Level 2 validation. To be accurate, FIPS 140-2 is simply the second iteration (hence the -2 suffix) of the encryption benchmark. Industry insiders have long joked that it’s been so long between updates that the next version will have to be FIPS 140-4.
Another common misconception surrounding the four levels is that they are a linear progression. In reality, it is a checkbox – either the cryptographic module has been validated and certified to meet the standard, or it hasn’t been. The levels represent requirements for different types of technology, not a gradient. Modules do not receive A+ or B- grades, they simply get a thumbs up or a thumbs down for the applicable validation level. Software modules are validated for Level 1, while hardware typically validates at Level 2 after meeting physical requirements. Levels 3 and 4 are relatively rare validations, demanding additional expensive hardware features without significant value added for the end user.
FIPS 140-2 has become ubiquitous outside the government as well. It has been adopted as a building block validation by most technology whitelisting programs in regulated industries like finance, healthcare, legal, and utilities. This was as intended by NIST. As a clearinghouse for the public and private sectors, recommendations such as Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, has become the top reference document for many other programs. SP 800-53 directs FIPS 140-2 validated encryption to be deployed for all cryptographic functions, creating a transitive requirement. As a result, programs such as FedRAMP, FISMA, DoDIN APL, Common Criteria, HIPAA and HITECH healthcare regulations inherit the dependency on FIPS 140-2 validation.
Note that FIPS 140-2 does not demand that the entire product receive validation. In fact, cryptographic testing is irrelevant for product features outside of the encryption module itself and can create undue complication in the validation process. The Carbon Black Cryptographic Module exemplifies the modern strategy that we support at SafeLogic.
By focusing the validation boundaries on the only technology relevant to FIPS 140-2 testing, the result is a well-honed software module that can be integrated within other Carbon Black products. Revalidation is rare and the process is accelerated, meaning that the latest, cutting edge solutions from Carbon Black can be deployed immediately upon release into federal environments. This is a significant win for the government and we’re happy to be part of it.